Honeynet Project Workshop CrackMe Solution

Date of publication: 07/04/2014, CERT Polska

We announced a CrackMe challenge in which you could win a free pass to the Honeynet Workshop 2014 in Warsaw. Today we closed the challenge, because the winners have already submitted all 10 flags. The winners are Dariusz Tytko (from Poland) and @_zairon_, who also posted his solution to our CrackMe on his blog. Our own solution is included below. Of course, if you are still solving it, the text below contains spoilers.

Let’s start with some stats:

The file was downloaded 236 times.

114 flags were submitted and 92 of them were correct.

23 people participated, 13 of them from Poland.

Almost all participants found 3 or more flags.

The task was to find 10 flags in a specially crafted file. All of the flags are described below, starting with the ones our participants found easiest.

Flag: <span class="text">ThisWasEasyToFind!</span> (20 submissions)

A couple of minutes after we announced the challenge, the file had already been uploaded to VirusTotal. Two of the antivirus engines there reported a false positive. The "File details" tab contained one of the flags: it was hidden in the "Comments" string of the file's version metadata. This data is displayed (at least on Windows XP) after right-clicking the file and choosing "Properties", as the screenshot on the left shows. Alternatively, one could run the <span class="text">strings</span> tool with <span class="text">-e l</span>. This option makes it print strings encoded as 16-bit little-endian Unicode (UTF-16LE), which is how Windows stores version-resource strings such as "Comments"; the default 8-bit scan misses them entirely. The command is presented below; the flag is in the 9th line.
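As an added example (my code, not part of the original post), the following Python script does what `strings -e l` does: it scans a file for runs of printable characters stored as UTF-16LE and contrasts the result with the default 8-bit scan, which is why the "Comments" flag is invisible to plain `strings`. The `SAMPLE` bytes are constructed here to stand in for the CrackMe; the `flag{...}` text inside them is my assumption of the submitted form, not taken from the binary.

```python
import re
import sys

MIN_LEN = 4  # strings(1) default minimum run length (its -n option)

# Constructed sample standing in for the CrackMe binary (not the real file):
# a few 8-bit strings plus a UTF-16LE "Comments" field and a flag, separated
# by binary junk. Each UTF-16LE character of ASCII text is <byte><0x00>.
SAMPLE = (
    b"\x00\x01MZ\x90\x00short\xff\x00\x00\x00"
    + b"Hello, world!\x00\x00\x00"
    + "Comments".encode("utf-16-le") + b"\x00\x00"
    + "flag{ThisWasEasyToFind!}".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80tail"
)


def ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable 7-bit characters, as strings(1) prints by default."""
    pat = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Runs of printable characters stored as UTF-16LE (what strings -e l shows).

    Only the Latin range is scanned: each code unit must be a printable 7-bit
    byte followed by 0x00, so Cyrillic or CJK text in the resource is skipped.
    """
    pat = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def main(argv):
    # With a path argument the real file is scanned; otherwise the sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    print("== 8-bit strings (strings default) ==")
    for s in ascii_strings(data):
        print(s)
    print("== UTF-16LE strings (strings -e l) ==")
    for s in utf16le_strings(data):
        print(s)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 strings16.py CrackMe.exe` to list both encodings; with binutils the equivalent is `strings -n 4 -e l CrackMe.exe` (`-e b` would scan big-endian UTF-16 instead).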

Flag: <span class="text">HowToFindStringsInPEYouKnow</span> (15 submissions)

This flag could also be found using the <span class="text">strings</span> tool. However, this time the binary had to be unpacked first. The file was packed with UPX, but one of the section names had been changed, which made the standard tool fail when one tried to unpack it:
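As an added illustration (my code, not from the original post or from UPX), this Python snippet reads the PE section table using only the standard library, lists the section names, and writes a chosen name back so that `upx -d` sees the layout it expects. The sample header is constructed here, and the assumption that the packer's `UPX1` section was renamed to `.text` is mine; the page only says that one name was changed.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20       # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40    # IMAGE_SECTION_HEADER
UPX_NAMES = {"UPX0", "UPX1"}  # names the stock UPX packer writes


def section_table(data):
    """Return (file offset of the section table, number of sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    number_of_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    offset = e_lfanew + 4 + FILE_HEADER_SIZE + size_of_optional
    return offset, number_of_sections


def section_names(data):
    offset, count = section_table(data)
    names = []
    for i in range(count):
        start = offset + i * SECTION_HEADER_SIZE
        raw = data[start:start + 8]            # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True when the section names match what an untouched UPX file carries."""
    return UPX_NAMES <= set(section_names(data))


def rename_section(data, index, new_name):
    """Return a copy of data with section `index` renamed (names are <= 8 bytes)."""
    name = new_name.encode("ascii")
    if len(name) > 8:
        raise ValueError("section names are at most 8 bytes")
    offset, count = section_table(data)
    if not 0 <= index < count:
        raise IndexError("no such section")
    start = offset + index * SECTION_HEADER_SIZE
    patched = bytearray(data)
    patched[start:start + 8] = name.ljust(8, b"\0")
    return bytes(patched)


def build_sample(names):
    """Constructed minimal PE header with the given section names (not a runnable binary)."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)            # e_lfanew
    optional_size = 0xE0                               # PE32 optional header size
    file_header = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0,
                              optional_size, 0x0102)   # i386, EXECUTABLE|32BIT
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(mz) + PE_SIGNATURE + file_header + bytes(optional_size) + sections


# Assumption for the demo: the packer's UPX1 section was renamed to ".text".
SAMPLE = build_sample(["UPX0", ".text", ".rsrc"])

if __name__ == "__main__":
    print("before:", section_names(SAMPLE), "upx layout:", looks_upx_packed(SAMPLE))
    fixed = rename_section(SAMPLE, 1, "UPX1")
    print("after: ", section_names(fixed), "upx layout:", looks_upx_packed(fixed))
```

On a real sample, read the file, call `rename_section` with the index of the renamed section, write the result to a new file and run `upx -d` on that copy; keep the original untouched so the patch can be compared. Restoring the names is what the write-up describes as the obstacle; a sample whose UPX stub or headers were modified further may need more than this.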

Flag: <span class="text">HaveNoFear,ConsoleFlagIsHere!</span>

running in the background while starting our CrackMe. The flag was then written to the console, as pictured below.

Flag: <span class="text">VeryGoodHardDriveName</span> (10 submissions)

The second dialog box shown when you simply run <span class="text">CrackMe.exe</span> is the one pictured on the left. It contained a clue pointing to the Andromeda malware. That malware had a VM check, and if it detected a VM it executed decoy code. However, the malware authors also had to test Andromeda in a virtual environment, so they implemented a check that let them bypass the VM detection: if the <span class="text">C:</span> drive had a volume label whose CRC32 equals <span class="text">0x20C7DD84</span> (most notably <span class="text">CKF81X</span>), our CrackMe displayed a new flag (pictured below).
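An added example (my code, not the CrackMe's or Andromeda's): it computes the CRC32 of a candidate volume label, checks it against the value quoted above, brute-forces short labels from a restricted alphabet to find other labels with the same checksum, and, on Windows, reads the label the way a program sees it. It assumes the checksum is the standard CRC-32 (the one `zlib` implements) taken over the label's ASCII bytes; if the check in the original sample uses a different polynomial, initial value or string encoding, `label_crc32` is the only function to change.

```python
import ctypes
import itertools
import string
import sys
import zlib

TARGET_CRC = 0x20C7DD84                                  # value quoted in the write-up
LABEL_ALPHABET = string.ascii_uppercase + string.digits  # assumption: labels of this form
MAX_LABEL_LEN = 11                                       # FAT-style volume label limit


def label_crc32(label):
    """Standard CRC-32 (IEEE 802.3 / zlib) over the label's ASCII bytes.

    Assumption: the check hashes the 8-bit string with the default init and
    final XOR. Adjust this one function if the target routine is a CRC variant.
    """
    return zlib.crc32(label.encode("ascii")) & 0xFFFFFFFF


def label_matches(label, target=TARGET_CRC):
    return label_crc32(label) == target


def find_labels(target, length, alphabet=LABEL_ALPHABET, limit=1):
    """Brute-force labels of exactly `length` characters whose CRC-32 is `target`.

    The search space is len(alphabet)**length, so keep length small (<= 6 is
    practical in pure Python). A 32-bit checksum has many preimages, and any
    one of them satisfies the check; `limit` stops after that many hits.
    """
    found = []
    for chars in itertools.product(alphabet, repeat=length):
        label = "".join(chars)
        if label_crc32(label) == target:
            found.append(label)
            if len(found) >= limit:
                break
    return found


def current_label(root="C:\\"):
    """Read the volume label the way a Windows program does (Windows only)."""
    if sys.platform != "win32":
        raise OSError("GetVolumeInformationW is only available on Windows")
    buf = ctypes.create_unicode_buffer(MAX_LABEL_LEN + 1)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, buf, len(buf), None, None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return buf.value


if __name__ == "__main__":
    label = sys.argv[1] if len(sys.argv) > 1 else "CKF81X"
    print("%s -> CRC32 0x%08X, matches target: %s"
          % (label, label_crc32(label), label_matches(label)))
```

To apply the bypass on a test VM, set the label with `label C: CKF81X` (or another hit from `find_labels`), confirm it with `current_label()`, and start the CrackMe again.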

Flag: <span class="text">YouKnowHowToDebugCode!</span> (9 submissions)

In order to find this flag, the CrackMe had to be debugged using e.g. OllyDbg or IDA Pro. The code checks for a debugger using the <span class="text">IsDebuggerPresent</span> function. If it detected a debugger, a <span class="text">You shall not pass!</span> dialog box appeared. However, the code continued to the function which used

and it can be used to decode the byte array and obtain a flag. This can be done manually or by simply substituting <span class="text">changeme</span> with <span class="text">_+&amp;!q</span> in the debugger.

Flag: <span class="text">RussianFlagItIs</span> (8 submissions)

This flag was relatively easy to find, but people who found it often did not know what to do with it. It was in the caption of the first dialog displayed when running the CrackMe. It was written in Cyrillic and had to be transliterated into the Latin (ASCII) alphabet. A few people, who apparently did not read the rules carefully, submitted the flag in the original Cyrillic alphabet. The rules clearly stated that the flag had to start with <span class="text">flag{</span> and be a string of printable ASCII characters without whitespace. The transliteration could be done with Google Translate or by hand. Another problem was the similarity between the letters ф and Ф (lowercase and uppercase "f"); some even ignored case altogether. However, these problems only affected two participants.

This code decoded the base64-encoded string (line 5) and then tried to decrypt it using the command-line parameter as a password. Only the first 5 characters of the parameter were taken into account. The simplest solution was to brute-force the password. Iterating over all printable strings of length 5 took about 10 hours with the Python script provided below; by adding parallelism or rewriting the brute force in C, it could be done in 2-3 hours.

(offset 0x05) and then decodes it into a flag. This was done with a very simple scheme: the first byte was XORed with <span class="text">0x66</span> (offsets 0x08, 0x0b) and every subsequent byte was XORed with the previously decrypted byte. This yields a 16-byte flag (offset 0x10). The flag is then displayed (offsets 0x16, 0x19, 0x1b) and the program exits with return value 0 (offsets 0x1d, 0x20).

All that had to be done to get this flag was to run the CrackMe in e.g. DOSBox: a PE file begins with an MZ header and a 16-bit DOS stub, and DOS (or DOSBox) executes that stub instead of the Windows code, so the decoder described above runs there. This is shown in the screenshot on the right.
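As an added example (my code, not the CrackMe's), the following Python reimplements the decoder described above together with the matching encoder, and extracts the DOS stub from a PE image, since that stub is the code DOSBox executes. The sample image, its toy stub and the 16-byte flag in it are constructed here; the offsets quoted in the write-up belong to the real stub and are not reproduced.

```python
import struct

XOR_SEED = 0x66   # the first byte is XORed with this constant (from the write-up)
FLAG_LEN = 16     # length of the decoded flag (from the write-up)


def xor_chain_decode(encoded, seed=XOR_SEED):
    """Decode: out[0] = enc[0] ^ seed, out[i] = enc[i] ^ out[i-1]."""
    out = bytearray()
    prev = seed
    for b in encoded:
        prev ^= b          # XOR with the previously decoded byte (seed for the first)
        out.append(prev)
    return bytes(out)


def xor_chain_encode(plain, seed=XOR_SEED):
    """Inverse of xor_chain_decode: enc[i] = plain[i] ^ plain[i-1], plain[-1] = seed."""
    out = bytearray()
    prev = seed
    for b in plain:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


def dos_stub(image):
    """Return the 16-bit DOS stub: from the end of the MZ header (e_cparhdr
    paragraphs of 16 bytes) up to the PE header at e_lfanew."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    header_paragraphs = struct.unpack_from("<H", image, 0x08)[0]   # e_cparhdr
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[header_paragraphs * 16:e_lfanew]


def build_sample_image(flag):
    """Constructed MZ/PE image whose DOS stub ends with the encoded flag (toy layout)."""
    encoded = xor_chain_encode(flag)
    # mov ah,9 / int 21h / mov ax,4C00h / int 21h, then the data: a stand-in, not the real stub
    stub = b"\xb4\x09\xcd\x21\xb8\x00\x4c\xcd\x21" + encoded
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, 4)                  # e_cparhdr: 4 * 16 = 0x40
    struct.pack_into("<I", header, 0x3C, 0x40 + len(stub))   # e_lfanew
    return bytes(header) + stub + b"PE\0\0"


def flag_from_image(image):
    """Take the last FLAG_LEN bytes of the stub and decode them (toy layout assumption)."""
    stub = dos_stub(image)
    return xor_chain_decode(stub[-FLAG_LEN:])


if __name__ == "__main__":
    img = build_sample_image(b"flag{DOSstubFlag")
    print(flag_from_image(img).decode())
```

On the real file, `dos_stub` gives you the bytes to disassemble in 16-bit mode (e.g. `ndisasm -b 16`), and the offsets from the write-up are relative to the start of that slice; the encoded array sits wherever the stub's code references it, not necessarily at the end as in this toy layout.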

Summary

The challenge was of intermediate difficulty, and we received many responses. The first person (from Poland) submitted the last of the 10 flags on Saturday, 5 April, at 18:50:09 CEST. The foreign participant sent the last of his 10 flags on 6 April at 18:48:06 CEST. Congratulations to both of them!

The CERT Polska team operates within the structures of NASK (Research and Academic Computer Network) — a research institute which conducts scientific studies, operates the national .pl domain registry and provides advanced IT services.